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S1 1WB 
Summary 


The complainant requested under the Freedom of Information Act 2000 (the 
‘Act’) that he received the workplace email addresses of all of the public 
authority’s staff. The public authority confirmed that it held the information, 
but believed that it was exempt. It applied section 36(2)(c) [disclosure would 
prejudice the effective conduct of public affairs], section 40(2) [third party 
personal data] and section 31(1)(a)[disclosure would be likely to prejudice 
the prevention of crime] to the information. The complainant requested an 
internal review and the public authority maintained its position. The 
complainant then referred this case to the Commissioner. 


The Commissioner has carefully considered this case and has determined 
that he does not uphold the complaint. He finds that section 36(2)(c) was 
engaged and that in all the circumstances the public interest favoured the 
maintenance of the exemption over the disclosure of the information. He has 
therefore not considered the operation of either section 40(2) or section 
31(1)(a). He did find a procedural breach of section 17(3), but requires no 
remedial steps to be taken. 


The Commissioner's Role 


1. The Commissioner's duty is to decide whether a request for information 
made to a public authority has been dealt with in accordance with the 
requirements of Part 1 of the Freedom of Information Act 2000 (the 
“Act”). This Notice sets out his decision. 
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Background 


2. The complainant owns a website that enables all Universities to receive 
requests for information simultaneously. He believes that the website 
should be able to investigate higher education matters through FOI 
requests and publishes the results. 


3. This request has been made to every University in the UK and the 
complainant has told the public authority that he requires this 
information to inform the staff about his website. He explained that 
each member of staff was to be invited to suggest topics worthy of 
investigation in confidence. 


The Request 


4, On 26 April 2010 the complainant requested the following information 
from the public authority: 


‘FOI Request - Staff E-mail Addresses 


I would like to request the following information under the 
provisions of the Freedom of Information Act. I would ask you to 
send your response by e-mail. 


A list of the workplace e-mail addresses for all staff. 


By workplace I am referring to corporate e-mail addresses 
ending in .ac.uk. 


By staff I am referring to all individuals employed by your 
institution. 


Please note that I do not require any segmentation of the list or 
any associated details.’ 

5. On 20 May 2010 the public authority issued its response. It confirmed 
that it held the relevant information that was embraced by the request. 
However, it believed that it was entitled to withhold the information on 
the following three grounds: 
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1. Section 36(2)(c)! - the public authority explained that it believed 
that the disclosure of the full list would be likely to prejudice the 
effective conduct of public affairs. It explained that the Information 
Tribunal (the ‘Tribunal’) had considered a similar case in 
EA/2006/0027 which asked for the contact directory of the Ministry 
of Defence.” It explained that its Vice Chancellor has considered the 
request, alongside the Commissioner’s guidance and the Tribunal 
decision, and has concluded that in his opinion the exemption was 
engaged and that the public interest favoured the maintenance of 
the exemption. It explained that it relied on paragraphs 88 and 89 
of the Tribunal verdict and believed it was entitled to rely on this 
exemption because it has chosen to provide sufficient external 
contacts to enable its system to be efficient and it did not believe 
that the public interest would be served through the disruption of its 
service through unwanted emails. It also explained that the 
disruption has been apparent from its receipt of spam attacks after 
the inadvertent previous disclosure of part of the directory; 


2. Section 40(2) - it explained that this information amounted to the 
personal data of its staff and that it believed it could refuse to 
provide the information on this basis; and 


3. Section 31(1)(a) - it explained that it believed that the disclosure of 
the information would be likely to prejudice the prevention or 
detection of crime, because it would enable someone to launch a 
denial of service attack against the University. 


6. On 29 May 2010 the complainant wrote to the public authority to 
request an internal review. He challenged the application of each of the 
exemptions: 


1. Section 36(2)(c) - He stated that very few other Universities had 
tried to apply this exemption. He explained that his reading of the 
Information Commissioner's guidance says that the purpose of 
section 36 is to provide public authorities with decision making 
space and that this case was distinct. In addition, he explained that 
he believed that EA/2006/0027 could be distinguished as ‘there are 
a considerable number of unique factors which do not apply to 
Universities’. He also explained that while he was not an expert 
about denial of service attacks, he believed that the emails that are 
already on the Universities website would be sufficient; 


1 All sections cited in this Decision Notice can be found in full in the Legal Annex that is 
attached to the end of it. 

2 This Information Tribunal decision can be found at the following link: 

http ://www.informationtribunal.gov.uk/DBFiles/Decision/i101/MoD. pdf 
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2. Section 40(2) - He argued that University email addresses did not 
constitute personal data and explained that he believed that this 
was the ICO’s view. He asked to be directed to guidelines that state 
conclusively that email addresses constitute personal data, why it 
feels able to disclose some email addresses on its website and 
whether consent had been provided; and 


3. Section 31(1)(a) - He explained that no other University had used 
this exemption, said that he had read the Commissioner’s guidance 
and believed that the exemption was irrelevant. 


7. On 9 July 2010 the public authority contacted the complainant. It 
explained that the internal review was underway and that the 
reviewers were actively considering the application of sections 36(2)(c) 
and 40(2). It asked for the following to enable it to carry out its 
review: ‘For what purpose or purposes are you requesting this 
information and what legitimate interest do you believe that this would 
serve’. 


8. On 13 July 2010 the complainant replied and said: 


‘I am willing to set aside the principle that FOI requests be 
treated as applicant and purpose blind. The major concern 
outlined in your initial response was about e-mail traffic so I will 
give a detailed explanation on this topic. I acknowledge that 
every FOI response sets something of a precedent and accept 
that whilst my stated purposes might prove acceptable another 
applicant could come along requesting the same information but 
intending to use it in a way that was not acceptable. For the 
record I have not requested names and phone numbers and have 
no intention of phoning anyone. 


I requested the list of staff e-mail addresses in order to inform 
staff about my website AcademicFOI.Com. This site investigates 
higher education matters through FOI requests and publishes the 
results. University staff are invited to suggest in confidence 
topics worthy of investigation. I attach an outline of the wider 
aims of the project. 


My understanding is that sending e-mails to corporate e-mail 
addresses such as .ac.uk ones is lawful so long as a postal 
address and simple method of opting out of future mailings are 
provided. I have no intention of selling, passing on or publishing 
any lists of university staff e-mail addresses. 
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I would envisage contacting university staff once or twice per 
year. I am combining the different university e-mail lists together 
and sorting them in alphabetical order. I will then send to blocks 
of e-mail addresses hourly on a pre scheduled delivery timetable 
over a four week period. For a university with 1,000 staff there 
would be typically 6 e-mails per hour and therefore no danger of 
overloading the university e-mail server. From my own point of 
view the e-mails will be spread over a four week period so as not 
to overload my own website server located in Germany. 


I have so far contacted 26,500 university staff across 30 
universities including your own. Typically 25% look up the 
website, 15% add the website into their internet favourites and 
0.5% ask to be removed from future mailings. 


In summary I do not believe that the use I intend to make of the 
list will cause the sort of disruption outlined in the initial response 
and decision notice referred to. Your university already publishes 
1,100 staff e-mail addresses on your website. There are a total of 
226,000 staff e-mail addresses published across the websites of 
the 148 HE institutions in the UK. I do not believe that the 
release of some extra ones to me will change the existing 
patterns of e-mail traffic in any material way. 


My interpretation is that for a Section 31 exemption to be valid a 
potential denial of service attack would need to be directed at an 
organisation routinely involved in the prevention or detection of 

crime.’ 


9. On 10 August 2010 the public authority communicated the results of its 
internal review. It explained that it had considered all the arguments 
raised and decided to uphold its position. It provided further detail 
about the application of the exemptions: 


1. Section 36(2)(c) - it explained that the decision was taken by the 
appropriate individual and the decision was taken on the basis of 
relevant evidence and its past experiences. It explained that it 
believed that the disclosure of the whole list would prejudice the 
University’s ability to offer an effective public service or meet its 
wider objectives and purposes, to provide education and conduct 
research. He also considered the public interest test and concluded 
that it favoured maintaining the exemption. It explained that it was 
happy that many of the principles mentioned in EA/2006/0027 were 
relevant in this case - particularly paragraphs 60, 65, 66, 88 and 
89. It said that the Vice Chancellor had also considered the case 
again in light of the complainant’s arguments above. It explained 
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that this did not change the verdict as it believed that the amount of 
email traffic would be greater than it would receive otherwise; 


2. Section 40(2) - it has 5291 email addresses. This number includes 
staff who work for it on a temporary basis. The University has asked 
the ICO twice about this matter and it was told that this information 
could amount to personal data and it believed it does. Its data 
protection policy explains that the information will only be given out 
where reasonable and necessary for the performance of an 
individual’s roles, unless they provide their consent. It provided real 
detail about why it did not believe that the disclosure of the 
information would accord with any of the conditions in Schedule 2 of 
the Act and therefore would contravene the first data protection 
principle and engage the exemption. It explained that it was mindful 
that the email addresses of those who are appropriately senior or in 
public facing roles would not be caught by section 40(2). However, 
it believed that it would exceed the cost limit to identify those 
individuals?; and 


3. Section 31(1)(a) — it explained that it continued to believe that the 
release of information would create an extra risk of a denial of 
service attack against it, which was an offence under the Computer 
Misuse Act 1990 and that it would prejudice the prevention or 
detection of crime. It quoted the ICO guidance which provided 
EA/2006/0060 as an example. It said it was content that the 
exemption continued to be engaged. 


10. It should be noted that at this stage, the public authority failed to 
outline in detail the public interest considerations that it took into 
account in disclosing the information or expressly those that it took 
into account in maintaining the exemption. It was therefore not clear 
about how this was considered by the time of internal review. 


3 For the avoidance of doubt, the Commissioner does not believe that the time spent 
considering the operation of any exemption can be correctly taken into account when 
considering the appropriate limit. This accords with the Information Tribunal Decision in: 
http://www. informationtribunal.gov.uk/DBFiles/Decision/i359/S_Yorkshire_Police_v_IC_(EA- 
2009-0029) _Decision_14-12-09_(w).pdf 


Reference: FS50344341 2 
ICO. 


The Investigation 


Scope of the case 


11. On 15 August 2010 the complainant contacted the Commissioner to 
complain about the way his request for information had been handled. 
The complainant specifically asked the Commissioner to consider the 
following points: 


= The University already published 1,100 email addresses on its 
website; 


= That according to his understanding these email addresses 
would be sufficient should someone nefarious wish to target the 
University with a denial of service attack; 


= Therefore, the provision of all the email addresses would not 
increase the risk of such an attack; and 


= He was not convinced by the arguments about section 31(1)(a) 
and explained that he did not see email addresses as being the 
equivalent to providing information to potential burglars about 
empty houses (a reference to EA/2006/0060). 


12. The Commissioner has been asked by the complainant to consider a 
number of requests for the email addresses of all staff. The 
complainant has explained that he wanted the Commissioner to decide 
whether he could receive the full list in every case. He stated that the 
only restricted option he would accept would be a full list with 
redactions for staff who have specifically requested anonymity on 
grounds of personal safety. 


Chronology 


13. On 3 September 2010 the Commissioner wrote to the complainant to 
explain that he had received an eligible complaint. 


14. He also wrote to the public authority on the same day to inform it of 
the complaint and to make detailed enquiries about its application of 
the section 36(2)(c) exemption. 


15. On 8 October 2010 the public authority provided the Commissioner 
with an electronic copy of its response. The Commissioner received a 
hard copy with its attachments on 11 October 2010 and acknowledged 
safe receipt. 
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16. On 21 October 2010 the Commissioner telephoned the public authority 
to seek further information and received that information on the same 
day. 


Findings of fact 


17. The person designated as being the Qualified Person for this public 
authority is the Vice Chancellor — Professor Phillip Jones. This 
corresponds with an Order that was signed by Mr Derek Twigg on 21 
December 2004. The relevant content of this Order has been reiterated 
by the new government at the following link‘. 


18. The Commissioner has checked the format of the withheld information 
and can confirm that there are 5291 addresses that are mostly in the 
format j.bloggs@shu.ac.uk (unless there two people with the same 
surname and same initial - in which case they choose their own 
designation that includes their surname). 


Analysis 


Exemptions 
Section 36(2)(c) - prejudice to the effective conduct of public affairs 


19. The Commissioner has chosen to consider section 36(2)(c) first 
because should it be appropriately applied then it would cover all of the 
withheld information. Only one exemption needs to be applied 
correctly to withhold the information under the Act. 


20. Section 36(2)(c) provides that information is exempt if in the 
reasonable opinion of the qualified person, disclosure of the 
information would, or would be likely to, prejudice the effective 
conduct of public affairs. It is a qualified exemption, so subject to a 
public interest test. The Commissioner will first consider whether the 
exemption is engaged and, if so, will move on to consider where the 
balance of public interest lies. 


* http://www. bis.gov.uk/assets/biscore/corporate/docs/foi/foi-authorisation-of-a-qualified- 
person. pdf 
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Is the exemption engaged? 


21. In section 36(2)(c) cases, the Commissioner’s role, when considering if 
the exemption is engaged, is to decide whether the qualified person’s 
opinion that the disclosure would, or would be likely to, prejudice the 
conduct of public affairs is a reasonable one. 


22. In order to do this it is important to understand what the Qualified 
Person meant when he gave his opinion. There are two possible limbs 
of the exemption on which the reasonable opinion could have been 
sought: 


= where disclosure “would prejudice” the effective conduct of 
public affairs; and 


= where disclosure “would be likely to prejudice” the effective 
conduct of public affairs. 


23. The public authority explained that the question that it posed to its 
Qualified Person was phrased slightly differently than the second limb, 
but that it believed that what he was asked was analogous. It asked its 
Qualified Person: 


“whether it was likely that the disclosure...would result in 
prejudice to the effective conduct of public affairs.” 


24. The Commissioner’s view is that the slight difference in framing the 
question makes no material difference in respect to the point that the 
threshold that was considered by the Qualified Person was that 
disclosure ‘would be likely to prejudice the effective conduct of public 
affairs’. This means that the Qualified Person’s decision was that he 
was of the view that the chance of the prejudice being suffered was 
more than a hypothetical possibility and that there was a real and 
significant risk”. The Commissioner will judge whether the opinion 
was a reasonable one on the basis of this threshold. 


25. This contrasts to the first limb which would have required the prejudice 
to be more probable than not. 


26. In order to establish that the opinion of the Qualified Person was 
reasonable and that the exemption has been engaged the 
Commissioner must: 


° This threshold was confirmed in paragraph 15 of the Information Tribunal decision in John 
Connor Press Associates Limited v The Information Commissioner [EA/2005/0005]: 
http://www.informationtribunal.gov.uk/DBFiles/Decision/i89/John%20Connor. pdf 
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= Ascertain who the qualified person is; 
=" Establish that an opinion was given; 
=" Ascertain when the opinion was given; and 


= Consider whether the opinion was objectively reasonable and 
reasonably arrived at. 


The first three criteria can be dealt with swiftly. As noted above, the 
Qualified Person is the Vice Chancellor. The Commissioner has 
established that the Vice Chancellor has provided two opinions in this 
case and their dates were as follows: 


1. 20 May 2010 - this opinion was given before the refusal notice was 
issued; and 


2. 19 July 2010 - this opinion was given in light of the request for 
internal review and considered whether the Vice Chancellor wished 
to revise his view in light of the complainant’s arguments. 


The last criterion noted in paragraph 26 requires detailed analysis. In 
the case of Guardian & Brooke v Information Commissioner & the BBC 
[EA/2006/0011 and 0013] (‘Guardian & Brooke’), the Information 
Tribunal stated that “in order to satisfy the subsection the opinion must 
be both reasonable in substance and reasonably arrived at.” 
(paragraph 64). The Commissioner will consider each of these 
requirements in reverse order: 


Reasonably arrived at 


29. 


30. 


In determining whether an opinion had been reasonably arrived at, the 
Tribunal in Guardian & Brooke suggested that the qualified person 
should only take into account relevant matters and that the process of 
reaching a reasonable opinion should be supported by evidence, 
although it also accepted that materials which may assist in the making 
of a judgement will vary from case to case and that conclusions about 
the future are necessarily hypothetical. 


When considering whether the opinion was reasonably arrived at, the 
Commissioner has received a copy of the first opinion and an email 
from the Vice Chancellor explaining what was taken into account during 
the internal review process. He has also been provided with a large 
quantity of evidence that relates to what was considered when the 
opinion was provided by the decision maker. The Commissioner's view 
is that the evidence considered when coming to an opinion is an 
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important factor in considering whether that opinion is reasonably 
arrived at and has therefore noted what was considered in respect to 
each opinion below: 


1. The first opinion was provided when the decision maker was in 
possession of the following information: 


i. A copy of the request for information and an explanation about 
its background; 


ii. A submission from the governance officer which explained the 
nature of the exemption, when the ICO guidance explains that 
section 36(2)(c) could be considered, the level of prejudice required 
and public interest considerations; 


iii. A Summary of EA/2006/0027 to allow the decision maker to 
consider its similarities and differences to the current case; 


iv. An explanation about the availability of the information that is 
embraced by the request; 


v. An explanation of the perceived difficulties the release of the 
information would have, including relevant examples in the past; 


vi. An explanation of the denial-of-service attack and why it may be 
more likely to occur if this information was disclosed; 


vii. An explanation from the person in charge of IT about the 
likelihood of problems being generated from the disclosure; 


viii. A detailed annex containing the public interest factors that the 
information officer believed favoured both the maintenance of the 
exemption and the disclosure of the information; and 


ix. An explanation of other exemptions that are also being 
considered. 


2. The second opinion was provided when the decision maker was in 
possession of the following information: 


i. The same information outlined in part 1; and 


ii. The complainant’s request for internal review and his further 
submissions. 
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From these documents, the Commissioner is satisfied that the qualified 
person appears to have taken into account relevant considerations and 
does not appear to have been influenced by irrelevant ones. He has 
determined that the Qualified Person’s opinion was reasonably arrived 
at. 


Reasonable in substance 


32; 


In relation to the issue of whether the opinion was reasonable in 
substance, the Tribunal indicated in Guardian & Brooke that “the 
opinion must be objectively reasonable” (paragraph 60). The 
Commissioner has asked the public authority to provide a detailed 
explanation of the reasons why it believes that the disclosure of the 
withheld information would be likely to cause prejudice to the effective 
conduct of public affairs. The reasons the Commissioner considers are 
relevant are: 


1. The University explained that it was worried about receiving 
Spam that it believed would disrupt it from carrying out its public duty. 
It explained that it had 5291 email addresses and even if only two 
emails were sent a year to each and 30 seconds were spent reading 
them — it would still amount to 881 hours of working time that would 
be used up. It explained that depending on the number of emails that 
it received that there could be a potentially unlimited drain on its 
resources; 


2, It explained that the request itself was unlikely to be a one off as 
the information requested would become less useful with time. The 
Commissioner does not accept that this argument should have any 
weight. This is because future requests should be considered on their 
own merits; 


4. It noted that the disclosure of the list under the Act would not be 
just to the complainant but to the whole public at large. Therefore, 
irrespective of the complainant’s intentions it must exhibit caution 
about the release of the information to the whole public; 


5. It explained that it had evidence that the complainant had used 
information obtained through FOIA to conduct a targeted campaign 
against another University. The public authority expressed concern that 
the disclosure of the whole list would enable its functions to be 
disrupted from a similar campaign; 


6. It explained that email is crucial and underpins the public 
authority’s core business. It said that it is used by all administrative, 
managerial and academic staff, is the key to contacting overseas 
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teaching partners and also to contact workplaces where students are 
on placement. IT supports the University’s teaching and research and 
HR, finance and student information systems are run by its IT staff. It 
explained that disruption to its email service at key times would be 
highly difficult to manage due to the nature of its role - for example 
during admissions (particularly in clearing), online graduation or 
extension deadlines. In conclusion, all its key services are dependent 
on email; 


Z: The public authority has calibrated its website so that emails that 
are part of its core business are directed to the correct place enabling 
enquiries to be dealt with by those individuals without duplication and 
in the most efficient way. The public authority explained that its staff 
had expressed concern about the number of emails that they were 
receiving and the University has introduced a policy to address these 
concerns. It explained that it was worried that further unnecessary 
emails would cause its staff stress and it believed that this would 
prejudice the effective conduct of public affairs; 


8. It explained in addition its staff have varying knowledge of IT and 
awareness of potential phishing attempts or email scams and it felt it 
prudent to protect its staff. In addition, it believed that the receipt of 
unexpected emails would lead to members of its staff making queries 
to other staff because they were concerned that their personal data 
was not receiving appropriate protection. This happened before when 
there was a spam incident resulting from its inadvertent previous 
disclosure of part of its directory in 2007. Numerous queries were 
raised with the IT staff, finance, human resources or the secretariat 
and all these queries required answers which will take the staff away 
from their core duties. While the Commissioner notes that there is a 
distinction between unplanned and planned disclosures, the 
Commissioner is still content that this is a relevant consideration; 


9. It also explained that the University may be burdened with legal 
and financial liabilities which result from successful phishing attacks. 
The University explained that it has had four complaints about this 
matter in the past and that similar claims may have more success if it 
could be proved that the likelihood of phishing attacks was connected 
to a disclosure it has made; and 


10. Finally, it provided detailed evidence of an attack that it received 
after the inadvertent disclosure of part of the staff directory in 2008. 
The Commissioner notes that there were two attacks and he has 
received details about how they operated and their effect on the 
University. While the Commissioner notes that there is a distinction 
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between unplanned and planned disclosure, the Commissioner is still 
content that this is a relevant consideration. 


33. The Commissioner has also carefully considered the complainant’s 
counterarguments. The Commissioner has noted that the University 
has published 1100 of its email addresses and that the complainant 
has argued that this in itself has not adversely impacted on the public 
authority. He also notes the complainant’s view that there is therefore 
no evidence to suggest that publishing a full list would increase the risk 
to public authority of for example a denial of service attack. However 
he accepts that there is a difference in the current availability of the 
1100 email addresses (which the public authority accepts are 
necessary for the performance of an individual’s role or duties) and the 
disclosure of a full list containing 5291 email addresses. He has also 
noted the complainant’s arguments that he would use the list 
responsibly. It is important to note that disclosure of information under 
the Act should be regarded as disclosure to the world at large. This is 
in line with the Tribunal in the case of Guardian & Brooke v The 
Information Commissioner & the BBC (EA/2006/0011 and 
EA/2006/0013) (following Hogan and Oxford City Council v The 
Information Commissioner (EA/2005/0026 and EA/2005/0030)) 
confirmed that, “Disclosure under FOIA is effectively an unlimited 
disclosure to the public as a whole, without conditions” (paragraph 
52).° The motivations of the complainant are therefore irrelevant. 
However, the argument that equivalent public authorities have not 
withheld the same information that was requested has been evidenced 
by the complainant. While it must be noted that the application of an 
exemption is discretionary, the Commissioner must consider whether 
the prejudice has been overstated by this public authority given the 
alternative approach by the others. He also considered the 
complainant’s submissions about denial of service attacks. 


34. The complainant has also argued that the amount of email traffic would 
not be not affected in a material way through the disclosure of the full 
list of email addresses. However the public authority has evidenced the 
spikes in traffic that resulted from the disclosure of part of the 
directory in the past. In view of this, the Commissioner is not satisfied 
that the release of the list to the public would not affect the traffic that 
the public authority receives. 


35. The complainant also argued that sophisticated IT systems ought to be 
able to counteract any possible prejudice that the public authority 
would experience through the disclosure of the list. The Commissioner 


http://www. informationtribunal.gov.uk/Documents/decisions/quardiannews HBrooke_v_inf 
ocomm.pdf. 
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accepts that there is some merit to this argument. However the 
Commissioner has noted what happened following the disclosure of 
part of the directory in the past and is willing to accept that a method 
of attack can vary and there is always likely to be a time delay 
between where the problem is noted and counteracted. This delay can 
mean that the attack has already done considerable damage and 
therefore the existence of IT security does not mitigate the prejudice to 
a significant extent. 


The Commissioner has carefully considered the arguments presented 
by both parties in this case and is satisfied that the Qualified Person’s 
opinion was objectively reasonable in substance. This is because he is 
satisfied that in the particular circumstances of this case it was 
reasonable for the Qualified Person to conclude that the disclosure of 
the withheld information to the public would be likely to cause an 
adverse effect to the public authority’s ability to carry out its core 
functions. He considers that in this case the evidence supported the 
opinion of the Qualified Person because the public authority’s was able 
to evidence that the disclosure of similar information has had an 
adverse effect in the past. The Commissioner also accepts that it 
should be entitled to organise itself so that the correct members of 
staff receive the correct emails to prevent both duplication and 
wastage of its limited resources. 


The Commissioner has concluded that the opinion of the qualified 
person appears to be both reasonable in substance and reasonably 
arrived at, and he therefore accepts that the exemption found in 
section 36(2)(c) is engaged. 


The Public Interest Test 


Section 36(2)(c) is a qualified exemption. That is, once the exemption 
is engaged, the release of the information is subject to the public 
interest test. The test involves balancing factors for and against 
disclosure to decide whether, in all the circumstances of the case, the 
public interest in maintaining the exemption outweighs the public 
interest in disclosing the information. 


The Commissioner will commence his analysis by considering those 
factors that favour disclosure. He will then consider those that favour 
the maintenance of the exemption, before concluding where he 
considers the balance lies. 
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Public interest arguments in favour of disclosing the requested 
information 


The public authority has explained to the Commissioner that its 
starting point is always disclosure. It also listed the public interest 
factors that it believed to favour disclosure: 


= The public interest in ensuring transparency in the activities of 
public authorities; 


= The public interest in ensuring that members of the public are 
able to contact appropriate staff within the public authority; and 


= The public interest in staff being able to access certain external 
services for their work. 


It explained that it understood that the public interest in ensuring the 
transparency of the public authority’s work is always strong as it is the 
fundamental objective of the Act. It also understood that it should be 
as accountable as possible. 


However, it explained that these arguments should be given little 
weight in this case, as it believed that the disclosure of the information 
would not provide greater transparency of the University and the list 
on its own does not tell the requestor anything about its activities. 


The Commissioner has considered the accountability arguments against 
the information that has been requested. He finds that it is appropriate 
to consider the Information Tribunal’s view about accountability in 
Cabinet Office v Lamb and the Information Commissioner 
[EA/2008/0024 & 0029] which explained ‘Disclosure under FOIA should 
be regarded as a means of promoting accountability in its own right 
and a way of supporting the other mechanisms of scrutiny, for 
example, providing a flow of information which a free press could use’. 
This indicates that even though the email addresses on their own add 
little to the public understanding of how the public authority operates, 
their disclosure may facilitate or support scrutiny by allowing the 
applicant to invite the public authority’s staff to raise issues of concern. 
He therefore finds that the arguments about accountability should be 
given some weight in this case. However the weight of these 
arguments is mitigated by further evidence that has been provided. 
This evidence shows that there is real awareness of FOI within the 
University, that there are set channels where members of staff can 
request management information and that the public authority has 
already provided a facility to allow staff to raise issues anonymously. 
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The Commissioner also accepts that there is a public interest in 
knowing the number of staff and who are employed by public funds. In 
addition, there is a public interest in making it possible to contact 
relevant individuals where their expertise would merit their contact. 
However, in this case it must be noted that the number of staff is 
known (5291) and the list by itself provides no information that would 
enable specific individuals to be selected. 


The complainant has also argued that the public authority’s staff are 
likely to be interested in the services that he offers. He supported this 
argument by the interest shown in his service when he has approached 
other public authorities. He explained that the marketing of the service 
provided a real benefit to the staff. The Commissioner considers that 
some services will be useful to individual members of staff, however he 
must consider what the effect would be of disclosing this information to 
the whole public. 


Public interest arguments in favour of maintaining the exemption 


The public authority has provided detailed submissions about why it 
believes that the public interest favours the maintenance of the 
exemption. It is important to note that only factors that relate to the 
likely prejudice of the effective conduct of public affairs can be 
considered in this analysis. 


The public authority has detailed the following public interest 
arguments for the Commissioner to consider: 


= There is a public interest in ensuring that public authorities are 
allowed to provide the services that they offer without undue 
disruption and hindrance. External email enquiries which are not 
routed though agreed channels cause disruption and waste staff time; 


= The undermining of communication channels is linked to the nature of 
the information requested. The public authority explained that most 
of its public facing staff work in defined specific areas. The wording of 
the request does not differentiate between areas - so any possible 
communication will either be sent to all staff or randomly without 
reference to their area of work; 


= There is a public interest in ensuring that enquiries are dealt with in a 
consistent and prompt manner and are therefore directed through 
agreed and publicised service channels; 

= The public authority has an interest in protecting its reputation by 
delivering consistent messages regarding procurement. It does so by 
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routing enquiries through agreed channels and the disclosure of the 
list may lead to those channels being subverted; 


Any release of the list under the Act would be to the public. The 
public authority has evidenced to the Commissioner that this would 
lead to many more unsolicited marketing messages, more spam and 
disruption to its staff; 


It is in the public interest for the public authority to protect its staff 
from being bombarded or targeted by external contacts (particularly 
the most junior staff) and from them being sent irrelevant and 
unwanted emails as this can cause disruption to staff, confusion and 
distress; 


It is in the public interest for the public authority to protect its staff 
from spam emails which may be fraudulent in nature, such as 
phishing emails; 


The public authority has a legitimate interest in ensuring that all 
University communications are genuine and the reputation of the 
public authority is not damaged by fraudulent mailings as occurred in 
the 2008 case. The reputation may be damaged because members of 
staff would have less faith in its protection of their accounts; 


The public authority has a duty of care to its staff to take reasonable 
steps to prevent staff being misled by emails purporting to come from 
a University source which may cause damage or distress to staff; 


It is unlikely that the release of the list would improve transparency 
and accountability to any real extent and it would not bring to light 
information affecting public health and safety; and 


= The public authority believes that the information would make a 
denial of service attack easier and there are crucial parts of the year 
where this could truly undermine its core purposes. 


When making a judgment about the weight of the public authority’s 
public interest arguments, the Commissioner considers that he is 
correct to take the severity, extent and frequency of prejudice or 
inhibition to effective conduct of public affairs in to account. 


The Commissioner is satisfied that there are two main themes of the 
public interest arguments that favour the maintenance of the 
exemption: 
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1. That the provision of the list to the public would undermine 
the channels of communication and lead to a consistent loss of 
time from the public authority’s core functions; and 


2. That the provision of the list to the public would leave the 
public authority and its staff more open to phishing attacks and 
the resulting problems that may be suffered. 


The Commissioner is satisfied that the first theme of arguments would 
amount to a fairly severe prejudice, whose extent and frequency would 
be potentially unlimited. He is therefore satisfied that these public 
interest factors should be given real weight in this case and they favour 
the maintenance of the exemption. 


The Commissioner is also satisfied that the second theme of arguments 
relate to a severe prejudice, whose extent and frequency would be 
potentially unlimited. As noted above, he has considered the 
complainant’s counterarguments that IT security systems should be 
able to mitigate this prejudice. However, he notes that IT security 
systems are not perfect and the nature of attacks is always evolving. 
The Commissioner considers that the presence of IT security systems 
cannot be taken into account, because future attacks may be able to 
cause damage before the IT security systems can intervene. He is 
therefore satisfied that this prejudice would be likely from the release 
of this information to the public and that these public interest factors 
should be given real weight in this case and favour the maintenance of 
the exemption. 


The Commissioner has considered the competing arguments about 
whether the likelihood of denial of service attacks would or would not 
be increased. The Commissioner has considered the arguments of both 
sides and has concluded that disclosure of the list would not pose a 
severe risk of increase to the potency of denial of service attacks and 
has decided to give little weight to the public authority’s public interest 
arguments about this matter. 


Balance of the public interest arguments 


When considering the balance of the public interest arguments, the 
Commissioner is mindful that the public interest test as set out in the 
Act relates to what is in the best interests of the public as a whole, as 
opposed to interested individuals or groups. 


In this case the Commissioner considers that there is some weight to 
the public interest arguments on both sides. The Commissioner 
appreciates that the arguments in favour of additional accountability 
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and transparency have some weight in this case. He accepts that it is 
important for a public authority to be as transparent as possible where 
there is not a significant adverse effect. However, in the circumstances 
of this case he considers that the weight of public interest factors 
maintaining the exemption are greater than those that favour 
disclosure. He is satisfied that the disclosure of the information to the 
public would be highly likely to prejudice the public authority from its 
core functions - both because it would undermine the channels of 
communications and leave the University open to spam emails and 
their consequences. Given the negative impact this would have 

on the public authority, the Commissioner has concluded that the public 
interest favours maintaining the section 36 exemption. 


In light of the above, the Commissioner finds that the public interest 
lies in maintaining the exemption, and therefore withholding the 
disputed information outweighs the public interest in disclosure. The 
Commissioner is satisfied that the disputed information was correctly 
withheld by the public authority and upholds the application of section 
36(2)(c). 


As the Commissioner has found that section 36(2)(c) has been 
appropriately applied, he has not gone on to consider the application of 
sections 31(1)(a) or 40(2) . 


Procedural Requirements 


56. 


Section 17(3) requires that a public authority explains why the public 
interest factors that favour the maintenance of a qualified exemption 
outweighs the public interest in disclosure of the information. As noted 
in paragraph 10 above, the public authority failed to do this by the 
time of its internal review. It therefore breached section 17(3). 


The Decision 


57. 


58. 


The Commissioner’s decision is that the public authority dealt with the 
request substantively in accordance with the requirements of the Act. 
This is because it applied section 36(2)(c) appropriately to all of the 
withheld information. 


However, the Commissioner has also decided that there was a 
procedural breach of section 17(3) because the public authority failed 
to explain in either its refusal notice or internal review why it believed 
that the public interest favoured the maintenance of the exemptions 
that it applied. 
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Steps Required 


59. The Commissioner requires no steps to be taken. 
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Right of Appeal 


60. Either party has the right to appeal against this Decision Notice to the 
First-tier Tribunal (Information Rights). Information about the appeals 
process may be obtained from: 


First-tier Tribunal (Information Rights) 
GRC & GRP Tribunals, 

PO Box 9300, 

Arnhem House, 

31, Waterloo Way, 

LEICESTER, 

LE1 8DJ 


Tel: 0845 600 0877 

Fax: 0116 249 4253 

Email: informationtribunal@tribunals.gsi.gov.uk. 
Website: www.informationtribunal.gov.uk 


If you wish to appeal against a decision notice, you can obtain 
information on how to appeal along with the relevant forms from the 
Information Tribunal website. 


Any Notice of Appeal should be served on the Tribunal within 28 
(calendar) days of the date on which this Decision Notice is sent. 


Dated the 14" day of February 2011 


Pamela Clements 

Group Manager, Complaints Resolution 
Information Commissioner's Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire 

SK9 5AF 
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Legal Annex 
The Freedom of Information Act 2000 


Section 1 - General right of access to information held by public 
authorities 


(1) Any person making a request for information to a public authority is 
entitled— 


(a) to be informed in writing by the public authority whether it holds 
information of the description specified in the request, and 


(b) if that is the case, to have that information communicated to him. 


(2) Subsection (1) has effect subject to the following provisions of this 
section and to the provisions of sections 2, 9, 12 and 14. 


(3) Where a public authority— 


(a) reasonably requires further information in order to identify and locate the 
information requested, and 


(b) has informed the applicant of that requirement, 


the authority is not obliged to comply with subsection (1) unless it is supplied 
with that further information. 


Section 17 - Refusal of request 


(1) A public authority which, in relation to any request for information, is to 
any extent relying on a claim that any provision of Part II relating to the duty 
to confirm or deny is relevant to the request or on a claim that information is 
exempt information must, within the time for complying with section 1(1), 
give the applicant a notice which— 


(a) states that fact, 
(b) specifies the exemption in question, and 


(c) states (if that would not otherwise be apparent) why the exemption 
applies. 


(2) Where— 


(a) in relation to any request for information, a public authority is, as 
respects any information, relying on a claim— 


(i) that any provision of Part II which relates to the duty to confirm or deny 
and is not specified in section 2(3) is relevant to the request, or 


(ii) that the information is exempt information only by virtue of a provision 
not specified in section 2(3), and 
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(b) at the time when the notice under subsection (1) is given to the 
applicant, the public authority (or, in a case falling within section 66(3) or 
(4), the responsible authority) has not yet reached a decision as to the 
application of subsection (1)(b) or (2)(b) of section 2, 


the notice under subsection (1) must indicate that no decision as to the 
application of that provision has yet been reached and must contain an 
estimate of the date by which the authority expects that such a decision will 
have been reached. 


(3) A public authority which, in relation to any request for information, is to 
any extent relying on a claim that subsection (1)(b) or (2)(b) of section 2 
applies must, either in the notice under subsection (1) or in a separate notice 
given within such time as is reasonable in the circumstances, state the 
reasons for claiming— 


(a) that, in all the circumstances of the case, the public interest in 
maintaining the exclusion of the duty to confirm or deny outweighs the public 
interest in disclosing whether the authority holds the information, or 


(b) that, in all the circumstances of the case, the public interest in 
maintaining the exemption outweighs the public interest in disclosing the 
information. 


(4) A public authority is not obliged to make a statement under subsection 
(1)(c) or (3) if, or to the extent that, the statement would involve the 
disclosure of information which would itself be exempt information. 


(5) A public authority which, in relation to any request for information, is 
relying on a claim that section 12 or 14 applies must, within the time for 
complying with section 1(1), give the applicant a notice stating that fact. 


(6) Subsection (5) does not apply where— 
(a) the public authority is relying on a claim that section 14 applies, 


(b) the authority has given the applicant a notice, in relation to a previous 
request for information, stating that it is relying on such a claim, and 


(c) it would in all the circumstances be unreasonable to expect the authority 
to serve a further notice under subsection (5) in relation to the current 
request. 


(7) A notice under subsection (1), (3) or (5) must— 


(a) contain particulars of any procedure provided by the public authority for 
dealing with complaints about the handling of requests for information or 
state that the authority does not provide such a procedure, and 


(b) contain particulars of the right conferred by section 50. 
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Section 31(1) - Law enforcement 


“Information which is not exempt information by virtue of section 30 is 
exempt information if its disclosure under this Act would, or would be likely 
to, prejudice- 


(a) the prevention or detection of crime, 

(b) the apprehension or prosecution of offenders, 
(c) the administration of justice, 

(d) the assessment or collection of any tax or duty or of any 
imposition of a similar nature, 

(e) the operation of the immigration controls, 

(f) | the maintenance of security and good order in prisons or in other 
institutions where persons are lawfully detained, 

(g) the exercise by any public authority of its functions for any of the 
purposes specified in subsection (2), 

(h) any civil proceedings which are brought by or on behalf of a 
public authority and arise out of an investigation conducted, for 
any of the purposes specified in subsection (2), by or on behalf 
of the authority by virtue of Her Majesty's prerogative or by 
virtue of powers conferred by or under an enactment, or 

(i) any inquiry held under the Fatal Accidents and Sudden Deaths 
Inquiries (Scotland) Act 1976 to the extent that the inquiry arises 
out of an investigation conducted, for any of the purposes 
specified in subsection (2), by or on behalf of the authority by 
virtue of Her Majesty's prerogative or by virtue of powers 
conferred by or under an enactment.” 


Section 36 - Prejudice to the effective conduct of public affairs 
(1) This section applies to- 


(a) information which is held by a government department or by the National 
Assembly for Wales and is not exempt information by virtue of section 35, 
and 

(b) information which is held by any other public authority. 


(2) Information to which this section applies is exempt information if, in the 
reasonable opinion of a qualified person, disclosure of the information under 
this Act- 


(a) would, or would be likely to, prejudice- 


(i) the maintenance of the convention of the collective 
responsibility of Ministers of the Crown, or 
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(ii) the work of the Executive Committee of the Northern Ireland 
Assembly, or 

(iii) the work of the executive committee of the National 
Assembly for Wales, 


(b) would, or would be likely to, inhibit- 
(i) the free and frank provision of advice, or 
(ii) the free and frank exchange of views for the purposes of 
deliberation, or 


(c) would otherwise prejudice, or would be likely otherwise to prejudice, the 
effective conduct of public affairs. 


Section 40 - Personal information 


“(1) Any information to which a request for information relates is exempt 
information if it constitutes personal data of which the applicant is the data 
subject. 


(2) Any information to which a request for information relates is also exempt 
information if— 


(a) it constitutes personal data which do not fall within subsection (1), and 
(b) either the first or the second condition below is satisfied. 
(3) The first condition is— 


(a) in a case where the information falls within any of paragraphs (a) to (d) 
of the definition of “data” in section 1(1) of the [1998 c. 29.] Data Protection 
Act 1998, that the disclosure of the information to a member of the public 
otherwise than under this Act would contravene— 


(i) any of the data protection principles, or 
(ii) section 10 of that Act (right to prevent processing likely to cause damage 
or distress), and 


(b) in any other case, that the disclosure of the information to a member of 
the public otherwise than under this Act would contravene any of the data 
protection principles if the exemptions in section 33A(1) of the [1998 c. 29.] 
Data Protection Act 1998 (which relate to manual data held by public 
authorities) were disregarded. 


(4) The second condition is that by virtue of any provision of Part IV of the 
[1998 c. 29.] Data Protection Act 1998 the information is exempt from 
section 7(1)(c) of that Act (data subject’s right of access to personal data). 


(5) The duty to confirm or deny— 
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(a) does not arise in relation to information which is (or if it were held by the 
public authority would be) exempt information by virtue of subsection (1), 
and 


(b) does not arise in relation to other information if or to the extent that 
either— 


(i) the giving to a member of the public of the confirmation or denial that 
would have to be given to comply with section 1(1)(a) would (apart from this 
Act) contravene any of the data protection principles or section 10 of the 
[1998 c. 29.] Data Protection Act 1998 or would do so if the exemptions in 
section 33A(1) of that Act were disregarded, or 


(ii) by virtue of any provision of Part IV of the [1998 c. 29.] Data Protection 
Act 1998 the information is exempt from section 7(1)(a) of that Act (data 
subject’s right to be informed whether personal data being processed). 


(6) In determining for the purposes of this section whether anything done 
before 24th October 2007 would contravene any of the data protection 
principles, the exemptions in Part III of Schedule 8 to the [1998 c. 29.] Data 
Protection Act 1998 shall be disregarded. 

(7) In this section— 


e “the data protection principles” means the principles set out in Part I 
of Schedule 1 to the [1998 c. 29.] Data Protection Act 1998, as read 
subject to Part II of that Schedule and section 27(1) of that Act; 


e “data subject” has the same meaning as in section 1(1) of that Act; 


e “personal data” has the same meaning as in section 1(1) of that 
Act.” 


Data Protection Act 1998 


Section 1 - Basic interpretative provisions 


(1) In this Act, unless the context otherwise requires— 
° “data” means information which— 


(a) 
is being processed by means of equipment operating automatically in 
response to instructions given for that purpose, 


(b) 
is recorded with the intention that it should be processed by means of 
such equipment, 


(c) 
is recorded as part of a relevant filing system or with the intention that it 
should form part of a relevant filing system, or 
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(d) 
does not fall within paragraph (a), (b) or (c) but forms part of an 
accessible record as defined by section 68; 


° “data controller” means, subject to subsection (4), a person who 
(either alone or jointly or in common with other persons) determines the 
purposes for which and the manner in which any personal data are, or are 
to be, processed; 


° “data processor”, in relation to personal data, means any person (other 
than an employee of the data controller) who processes the data on 
behalf of the data controller; 


° “data subject” means an individual who is the subject of personal data; 
° “personal data” means data which relate to a living individual who can 
be identified— 
(a) 
from those data, or 
(b) 


from those data and other information which is in the possession of, or is 
likely to come into the possession of, the data controller, 


and includes any expression of opinion about the individual and any 
indication of the intentions of the data controller or any other person in 
respect of the individual; 


° “processing”, in relation to information or data, means obtaining, 
recording or holding the information or data or carrying out any operation 
or set of operations on the information or data, including— 


(a) 


organisation, adaptation or alteration of the information or data, 


(b) 


retrieval, consultation or use of the information or data, 


(c) 
disclosure of the information or data by transmission, dissemination or 
otherwise making available, or 


(d) 
alignment, combination, blocking, erasure or destruction of the 
information or data; 


° “relevant filing system” means any set of information relating to 
individuals to the extent that, although the information is not processed 
by means of equipment operating automatically in response to 
instructions given for that purpose, the set is structured, either by 
reference to individuals or by reference to criteria relating to individuals, 
in such a way that specific information relating to a particular individual is 
readily accessible. 
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(2) In this Act, unless the context otherwise requires— 


(a) “obtaining” or “recording”, in relation to personal data, includes obtaining 
or recording the information to be contained in the data, and 


(b) “using” or “disclosing”, in relation to personal data, includes using or 
disclosing the information contained in the data. 


(3) In determining for the purposes of this Act whether any information is 
recorded with the intention— 


(a) that it should be processed by means of equipment operating 
automatically in response to instructions given for that purpose, or 


(b) that it should form part of a relevant filing system, 


it is immaterial that it is intended to be so processed or to form part of such 
a system only after being transferred to a country or territory outside the 
European Economic Area. 


(4) Where personal data are processed only for purposes for which they are 
required by or under any enactment to be processed, the person on whom 
the obligation to process the data is imposed by or under that enactment is 
for the purposes of this Act the data controller. 
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